Envoy 1.16.0 logs an incorrect downstream address because it considers only the directly connected peer, not the information in the proxy protocol header. This affects situations with tcp-proxy as the network filter (not HTTP filters).
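To make the two addresses in the description concrete, here is an added example (not Envoy's code and not part of this bug report) that parses a PROXY protocol v1 header and picks the address an access log should record. It assumes the v1 text format only; the function names, the trusted-peer set and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation/private ranges), not from the bug report.
PEER = ("10.0.0.5", 41000)   # load balancer directly connected to the proxy
HEADER = b"PROXY TCP4 203.0.113.7 10.0.0.9 51234 443\r\n"

def parse_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 line; return (src, dst, payload) or raise ValueError.

    src and dst are (ip, port) tuples, or None for the UNKNOWN family."""
    end = data.find(b"\r\n")
    # The v1 format caps the header line at 107 bytes including CRLF.
    if not data.startswith(b"PROXY ") or end == -1 or end + 2 > 107:
        raise ValueError("not a PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    addrs = [ipaddress.ip_address(a) for a in fields[2:4]]
    if any(a.version != version for a in addrs):
        raise ValueError("address family mismatch")
    ports = [int(p) for p in fields[4:6]]
    if any(not 0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return (str(addrs[0]), ports[0]), (str(addrs[1]), ports[1]), payload

def downstream_for_log(peer, first_bytes, trusted_peers):
    """Return the (ip, port) an access log should record for a TCP connection."""
    if peer[0] not in trusted_peers:
        return peer          # never honour a header from an untrusted sender
    try:
        src, _dst, _payload = parse_proxy_v1(first_bytes)
    except ValueError:
        return peer          # no valid header: the peer is all we know
    return src or peer       # UNKNOWN family carries no address: fall back

if __name__ == "__main__":
    print("directly connected peer:", PEER)
    print("address to log:", downstream_for_log(PEER, HEADER, {"10.0.0.5"}))
```

Logging `PEER` instead of the header's source is the behaviour the description reports: every connection appears to originate from the load balancer, so per-client attribution in TCP access logs is lost.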
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
Confirmed regression from https://github.com/envoyproxy/envoy/commit/fa2a7dbe5f1a0847e0bcbdcb001bac5f80bc92d9
So this only affects v1.16.0. OSSM 2.0 is still on 1.14.5. Also, given how maistra/envoy works, we absorbed the changes but never the regression.
OSSM 1.0 is 1.12.6, not vuln and oos.
Upstream fix: https://github.com/envoyproxy/envoy/pull/14132/commits/acc4a83bcfcc44c61e48b802cbb0972df3fdd4b5